Apparatus method and medium for tracing the origin of network transmissions using n-gram distribution of data

ABSTRACT

A method, apparatus, and medium are provided for tracing the origin of network transmissions. Connection records are maintained at computer system for storing source and destination addresses. The connection records also maintain a statistical distribution of data corresponding to the data payload being transmitted. The statistical distribution can be compared to that of the connection records in order to identify the sender. The location of the sender can subsequently be determined from the source address stored in the connection record. The process can be repeated multiple times until the location of the original sender has been traced.

PRIORITY INFORMATION AND CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority from U.S. Provisional Application No.60/518,742 filed Nov. 12, 2003, and U.S. Provisional Application No.60/613,637 filed Sep. 28, 2004, both of which are incorporated herein byreference.

This application is related to co-pending application entitled“Apparatus Method And Medium For Identifying Files Using N-GramDistribution Of Data,” having Ser. No. ______, and co-pendingapplication entitled “Apparatus Method And Medium For Detecting PayloadAnomaly Using N-Gram Distribution Of Normal Data,” having Ser. No.______, both filed on even date herewith and incorporated by referencein their entirety.

STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH

This invention was made with United States Government support underagreement number F30602-02-2-0209 awarded by DARPA. The United StatesGovernment has certain rights in this invention.

BACKGROUND OF THE INVENTION Technical Field

The present invention relates to data analysis and, more particularly,to the detection of anomalous data transmissions.

Description of the Related Art

Network computer systems consist of processing sites (e.g., hostcomputers) that exchange data with each other. There are variousprotocols used by computers to exchange data. For example, TCP/IP is onenetwork protocol that provides the transport of data between computersthat are connected by a network. Each host computer is assigned a uniqueinternet protocol (IP) address, and data is exchanged between source IPaddresses and destination IP addresses to a destination port on thedestination host and from a source port on the source host. A portnumber corresponds to a particular service or application that “listens”for data sent to it on that port from some remote source host. Someports are standardized and assigned a typical well-known service. Forexample, web-based servers are typically assigned port 80 fortransmission of web requests delivered via TCP/IP packets with controlinformation according to the hypertext transfer protocol (HTTP) commandsthe web server expects. TCP/IP transfers such data in the form of“network packets” that consist of the identification of IP addresses,port numbers, control information, and payload. The payload is theactual data expected by the service or application. In the case of webtraffic, payload can consist, for example, of GET requests for web pagesrepresented by URL's.

As networks, such as the Internet, become more accessible to users, theamount of data transmitted significantly increases. This presents anopportunity for individuals to cause harm to the computers ofunsuspecting users. Worms and viruses, in particular, are well knowncauses for security breaches in computer systems. These constitutemalicious data sent to a service or application that exploits avulnerability (such as a buffer overflow providing root access to theworm's executable program) that causes the service or application to bedisabled, crash, or provide unauthorized privileges to an attacker. Somecommon examples include the recent Code Red, Nimda, and Sobig worms andviruses. Conventional systems designed to detect and defend systems fromthese malicious and intrusive events depend upon “signatures” or“thumbprints” that are developed by humans or by semi-automated meansfrom known prior bad worms or viruses. Currently, systems are protectedafter a worm has been detected, and a signature has been developed anddistributed to signature-based detectors, such as a virus scanner or afirewall rule.

In order to reduce the potential threat of attacks, a firewall isestablished to protect computers within a network. Firewalls arecomputer systems that typically stand at the gateway of a computernetwork or that reside on a network in front of a critical host orserver computer, and which inspect the traffic to and from the networkor server, and determine which traffic may proceed, and which trafficwill be filtered. Firewalls can also be implemented in the form ofsoftware on individual computers. As an example, propagating worms aretypically filtered by firewalls that have been preloaded with a“signature rule” that detects the appearance of a specific worm. When apacket and its payload “matches” a known signature string associatedwith a worm, the firewall would block the TCP/IP packets that deliveredthe worm, preventing the server from being attacked by that worm.

This approach suffers two fundamental problems. First, the signaturestrings associated with worms can only be constructed after the worm hasbeen detected. This means the worm was actually not detected on itsfirst appearance, and logically attacked at least one server, causingdamage to the server. Protection is not possible until a third party hasconstructed a signature string and deployed it broadly to all networksites and firewalls. Precious time can be lost during this process,which can typically require many days. During this time, the worm wouldhave successfully spread widely throughout the internet, damaging manythousands if not millions of hosts. This is because worms in particularpropagate rapidly on the Internet and infect and destroy systems at veryhigh speeds. Second, there are very many worms that have appeared on theinternet, and each of these have had distinct signature stringsconstructed for their detection which are each loaded into all of thefirewalls. This implies that over time firewalls must grow in complexityin order to store, process, and match many signature strings to eachpacket payload delivered to the gateway or server.

Various attempts have been made to detect worms by analyzing the rate ofscanning and probing from external sources which would indicate a wormpropagation is underway. Unfortunately, this approach detects the earlyonset of a propagation, and by definition, the worm has alreadysuccessfully penetrated a system, infected it, and started its damageand propagation.

Based on the foregoing, it would be beneficial to provide a systemcapable of detecting potentially harmful data being transmitted througha network. It would also be beneficial to provide a system capable ofdetermining whether potentially harmful data is a malicious program. Itwould be further beneficial to provide signatures to filter maliciousprograms such as worms and viruses upon an initial appearance of suchprograms.

SUMMARY OF THE INVENTION

These and other needs are addressed by the present invention, whereinpotentially harmful data being transmitted through a network can bedetected. One or more embodiments of the present invention utilizesstatistical analysis of data contained in a payload in order todetermine whether the payload is potentially harmful. The statisticalanalysis can be in the form of a byte value distribution of the datacontained in the payload. Data transmitted through the network iscompared to a model of “normal” data previously received by the networkin order to determine its likelihood of being harmful. The normal datareceived by the network can be determined by modeling traffic receivedover a set time period. Thus, the normal data represents the regularflow of traffic through the network and, therefore, can include gooddata, potentially harmful data, and noise. This normal data can then becollected and processed to create a model statistical distribution thatis compared to the statistical distribution of newly received data.

According to one or more embodiments of the present invention, a methodis provided for detecting anomalous payloads transmitted through anetwork. The method comprises the steps: receiving at least one payloadwithin the network; determining a length for data contained in the atleast one payload; generating a statistical distribution of datacontained in the at least one payload received within the network;comparing at least one portion of the generated statistical distributionto a corresponding portion of a selected model distributionrepresentative of normal payloads transmitted through the network;wherein the selected model payload has a predetermined length range thatencompasses the length for data contained in the at least one payload;and identifying whether the at least one payload is an anomalouspayloads based, at least in part, on differences detected between the atleast one portion of the statistical distribution for the at least onepayload and the corresponding portion of the model distribution.

According to one or more implementations, the differences between thestatistical distribution of the at least one payload and the modeldistribution are determined based on a distance metric between the two.The distance metric can optionally be calculated based on varioustechniques including, for example, a Mahalanobis distance. Otherimplementations of the invention are capable of determining whether ananomalous payload is a worm or virus. Signatures can optionally begenerated for any payloads determined to be a worm or virus.

According to one or more embodiments of the present invention, a methodis provided for modeling payload data received in a network. The methodcomprises the steps of: receiving a plurality of payload data in thenetwork; creating a payload length distribution for all payload datareceived; partitioning the payload length distribution into a pluralityof payload ranges; generating a statistical distribution for eachreceived payload data; and constructing a model payload for each payloadrange based on the statistical distributions of all received payloaddata encompassed by the payload length range.

According to at least one specific implementation, the model payload isconstructed based on the most recently received, or current, payloaddata. Also, one or more implementations of the present invention canautomatically detect when sufficient payload data has been collected toconstruct the model payload.

There has thus been outlined the more important features of theinvention and several, but not all, embodiments in order that thedetailed description that follows may be better understood, and in orderthat the present contribution to the art may be better appreciated.There are, of course, additional features of the invention that will bedescribed hereinafter and which will form the subject matter of theappended claims.

In this respect, before explaining one or more embodiments of theinvention in greater detail, it is to be understood that the inventionis not limited in its application to the details of construction and tothe arrangements of the components set forth in the followingdescription or illustrated in the drawings. Rather, the invention iscapable of other embodiments and of being practiced and carried out invarious ways. Also, it is to be understood that the phraseology andterminology employed herein are for the purpose of description andshould not be regarded as limiting.

As such, those skilled in the art will appreciate that the conception,upon which this disclosure is based, may readily be utilized as a basisfor the designing of other structures, methods and systems for carryingout the several purposes of the present invention. It is important,therefore, that the claims be regarded as including such equivalentconstructions insofar as they do not depart from the spirit and scope ofthe present invention.

These, and various features of novelty which characterize the invention,are pointed out with particularity in the appended claims forming a partof this disclosure. For a better understanding of the invention, itsoperating advantages and the specific benefits attained by its uses,reference should be had to the accompanying drawings and preferredembodiments of the invention illustrating the best mode contemplated forpracticing the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram conceptually illustrating a system fordetecting anomalous payloads in accordance with at least one exampleembodiment of the present invention.

FIG. 2 is a flow diagram illustrating the steps performed to modelpayload data received in a network according to one or more embodimentsof the present invention.

FIG. 3A is a graph illustrating a length distribution for payload datain accordance with one or more embodiments of the present invention.

FIG. 3B is a graph illustrating a length distribution for payload datain accordance with one or more embodiments of the present invention.

FIG. 4 is a statistical distribution of data contained in examplepayloads.

FIG. 5A is a rank ordered byte frequency count of the data contained inpayloads.

FIG. 5B is a rank ordered byte frequency count of the data shown in FIG.4.

FIG. 6A is an example payload signature Z-string corresponding to thedata in FIG. 5A.

FIG. 6B is an example payload signature Z-string corresponding to thedata in FIG. 5B.

FIG. 7 is a flowchart illustrating the steps performed to model payloaddata in accordance with one or more embodiments of the presentinvention.

FIG. 8 is a flowchart illustrating the manner in which payload data isautomatically collected according to one or more embodiments of thepresent invention.

FIG. 9 is a flow diagram illustrating the steps performed to detectanomalous payloads transmitted through a network.

FIG. 10 is a flowchart illustrating the steps performed to detectanomalous payloads according to one or more embodiments of the presentinvention.

FIG. 11 is a chart illustrating detection of an example worm.

FIG. 12 is a block diagram conceptually illustrating delivery ofdifferent file types to a computer over a network.

FIG. 13 is a flowchart illustrating the steps performed to identify filetypes according to one or more embodiments of the present invention.

FIGS. 14A-141 are graphs illustrating the statistical distribution ofdifferent file types.

FIG. 15 is a flowchart illustrating the steps performed to model a filetype according to one or more embodiments of the present invention.

FIG. 16 is a flowchart illustrating the steps performed to verify filetypes according to one or more embodiments of the present invention.

FIG. 17 is a flowchart illustrating the steps performed to identifymalicious programs according to one or more embodiments of the presentinvention.

FIG. 18 is a block diagram conceptually illustrating an attack acrossseveral computer systems.

FIG. 19 is a flowchart illustrating the steps performed to trace theorigin of a transmission according to one or more embodiments of thepresent invention.

DETAILED DESCRIPTION OF THE INVENTION

Reference now will be made in detail to one or more embodiments of theinvention. Such embodiments are provided by way of explanation of theinvention, which is not intended to be limited thereto. In fact, thoseof ordinary skill in the art will appreciate, upon reading the presentspecification and viewing the present drawings, that variousmodifications and variations can be made.

For example, features illustrated or described as part of one embodimentcan be used on other embodiments to yield a still further embodiment.Additionally, certain features may be interchanged with similar devicesor features not mentioned yet which perform the same or similarfunctions. It is therefore intended that such modifications andvariations are included within the totality of the present invention.

Prior to describing the details of the invention, a brief discussion ofsome of the notations and nomenclature used in the description will bepresented. Next, a description of example hardware useable in practicingthe invention will be presented.

NOTATIONS AND NOMENCLATURE

The detailed descriptions which follow may be presented in terms ofprogram procedures executed on a computer or network of computers. Theseprocedural descriptions and representations are a means used by thoseskilled in the art to effectively convey the substance of their work toothers skilled in the art. In order to execute such procedures, it maybe necessary to retrieve information from one or more external sourcesor input devices. Information can also be retrieved from various storagedevices that can be either internally or externally located. Uponcompletion of the execution phase, information may be output to varioussources such as a display device, magnetic storage device, non-volatilememory devices, volatile memory, and/or printers. The information canfurther be transmitted to remotely located devices using variouscommunication methods and networks such as wired, wireless, satellite,optical, etc.

The term “computer-readable medium” as used herein refers to any mediumthat participates in providing instructions to a processor forexecution. Such a medium may take many forms, including but not limitedto, non-volatile media, volatile media, and transmission media.Non-volatile media include, for example, optical or magnetic disks.Volatile media include dynamic memory installed in the computer.Transmission media can include coaxial cables, copper wire, and fiberoptics. Transmission media can also take the form of acoustic or lightwaves, such as those generated during radio frequency (RF) and infrared(IR) data communications. Common forms of computer-readable mediainclude, for example, hard disk, magnetic tape, any other magneticmedium, a CD-ROM, DVD, any other optical medium, a RAM, a PROM, andEPROM, a FLASH-EPROM, any other memory chip or cartridge, a carrier waveas described hereinafter, or any other medium from which a computer canread.

Overview of Payload-Based Anomaly Detection

The present invention has, as at least one goal, to analyze payload datareceived in a network. The analysis can be used for various purposesincluding, for example, modeling the normal flow of traffic through thenetwork. One or more embodiments of the present invention allow fordetecting the first occurrence of a worm at a network system gateway,and preventing it from entering in the first place. Thus, the worm canbe prevented from engaging in its destructive actions and itspropagation. Rather, one or more embodiments of the present inventionperform, in part, analysis and modeling “normal” payloads that areexpected to be delivered to a network service or application.

In one or more embodiments, the present invention includes a “learning”phase that gathers “normal” payloads, produces an n-gram (or “bytevalue”) statistical distribution of those payloads, which serves as amodel for “normal” payloads. The payloads gathered are not necessarilysafe payloads. Rather, these payloads represent information transmittedthrough the network during a regular period of time. This is referred toas a model payload. After this model payload has been produced in thelearning phase, an anomaly detection phase begins. The anomaly detectionphase captures incoming payloads to the network service/application. Theincoming payload is tested to determine differences from the modelpayload. This can be done, for example, by testing the payload for itsconsistency (or distance) from the model payload. In one or moreembodiments of the present invention, a “centroid” is calculated for allthe payload data that has been collected during the learning phase. Thecentroid model then functions as a model payload for detecting anomalouspayloads.

According to one or more embodiments of the present invention, anypayload determined to be too different from the normal (e.g., expected)payload is deemed anomalous and filtered or otherwise trapped from beingsent to the service/application. This can prevent potential infestationif the payload is subsequently determined to be a worm or virus. Thelevel of tolerance allowed can be set by the user, or automatically setbased on predetermined criteria. In one or more embodiments of thepresent invention, the centroid model can be computed based on the bytefrequency count distribution of the set of “normal” payloads analyzedduring the learning (or training) phase. At least one of the distancemetrics that can be used is the Mahalanobis distance metric. In one ormore embodiments of the present invention, the Mahalanobis distance canbe applied to a finite discrete histogram of byte value (or character)frequencies computed in the training phase. There are numerousengineering choices possible to implement the techniques of the presentinvention into a system and integrate the detector with standardfirewall, application proxy firewalls, or other network-based orhost-based computer security technology to prevent the first occurrenceof a worm from entering a secured network or host system. The anomalydetection system of the present invention can be based on thestatistical distribution of byte values in the network connection'spayload. According to one or more embodiments of the present invention,a profile can be built for the normal connection's payload which isspecific to the site and port, and then used to detect any significantdeparture of the new connection's payload as possible malicious attack.

As a first step, payloads that have passed through firewalls and havebeen delivered to host services and ports can be gathered via an archive(or log) or audited in real time. This data (i.e., the receivedpayloads) constitutes the training data from which a normal model (ormodel payload) is derived. The set of payloads can have a wide range oflengths depending, for example, upon the amount of data delivered to theservice.

As a second step, the distribution of payload lengths of the connectionscan be modeled and the length distribution partitioned into multipleranges. Generally, the length of the connections can vary across a verylarge range, e.g., from a few bytes to millions of bytes. Differentlength ranges, therefore, can have different types of payload. Forexample, the short HTTP connections usually contains letters and digits,and very long HTTP connections often contains pictures, video clips,executable files etc, which contain a lot of nonprintable characters.Thus, according to one aspect of the present invention, payload modelscan be built for different connection length ranges. This can haveadvantages over building only one model for all the connections.

According to one or more embodiments of the present invention, thedistribution of the connection length can be modeled without any priorassumptions through the use of kernel estimates. Kernel estimates smoothout the contribution of each observed data point over a localneighborhood of that point. Probability curves can be generated for theincoming/outgoing HTTP connections. The probability curves can bedivided according to accumulative probability values. The highprobability ranges will have small bin sizes, while the low probabilityranges will have large bin sizes.

Additionally, there are other techniques that can be used to partitionthe length ranges. For example, clustering algorithms of various sortscan be used, whereby the distance metrics employed can be based upondistance metrics applied to n-gram character distributions as describedmore fully below. Once the length distribution has been divided intospecific ranges, the training data of normal payloads is partitionedinto disjoint subsets of payloads that have lengths defined by thepartition. For example, if a length partition identifies one range as0-50, then all payloads of length bounded by 50 bytes will bepartitioned into this subset of payloads.

The next step involves modeling all of the normal payloads within eachlength range. For those connections whose length is within some lengthrange, the average byte frequency count can be computed for ASCII bytes0-255. This single byte frequency distribution is called a 1-gramdistribution. Distributions can also be built for 2-gram (twoconsecutive bytes), 3-gram (three consecutive bytes) etc. Furthermore,the frequency distribution can be mixed-gram, meaning that a mixture of,for example, 1-gram and 2-gram distributions is used. As used herein, amixed-gram distribution is a mixture of different size n-gram modelswithin the data. Examples of other mixtures can include, withoutlimitation: 1-gram and 3-gram; 1-gram and 4-gram; 2-gram and 3-gram;2-gram and 5-gram; 3-gram and 4-gram; 3-gram and 7-gram; 1-gram, 3-gram,and 4-gram; 1-gram, 5-gram, 7-gram, 3-gram; 2-gram, 5-gram, 3-gram,4-gram; etc. Virtually any mixture can be used. Using 1-gram as anexample, if the character frequency is ordered from highest to lowest,it is usually similar to a Zipf distribution, with a long tail.

At least one technique (but not the only technique) for detecting ananomalous payload is to determine whether any character or byte valueappears in the payload in question at a frequency of occurrence manytimes larger or smaller than what would be expected from the observedtraining data. Such character frequency together with each byte'svariance can characterize the payload within some range. Another way torepresent it is using a “normal payload signature string”, which is thecorresponding ASCII byte string of the above ordered frequencydistribution, where the characters or byte values that have a zerofrequency are ignored. Obviously if the variance of each byte isconsidered, a “neighborhood of normal payload signature strings” can beobtained, which means each byte has a neighborhood containing severalother bytes that can be possibly ordered in that place if the varianceis considered in addition to the averaged frequency.

New payloads can be tested to detect how far they depart from the normalmodel. This can be done, for example, by comparing the new payload'sbyte frequency distribution to the normal payload model. Once theprofile is built, there are multiple ways to compare some newconnection's payload against the profile to detect any large differenceor departure. Mahalanobis distance metric is one of those distancefunctions that compute the similarity between two frequencydistributions.

The formula of Mahalanobis distance is D(h₁,h)=(h₁−h)^(T) A(h₁−h), whereh is the profile feature vector computed from a previous training phase.The Covariance matrix B, b_(ij)=Cov(h ₁,h _(j)), and A=B⁻¹. Assuming thebytes are statistically independent, the matrix B will become diagonaland the elements are just the variance of the average frequency of eachbyte. To make the computation simple and fast, the simplifiedMahalanobis distance may be derived as D(h₁,h)=Σ_(i=0)^(n-1)(h₁[1]−h[i])/σ _(i), where n equals 256 if 1-gram is used. If thismethod is applied to the frequency distribution of 2-grams, there wouldbe n=256² or 65,536 bins. Various methods can be used to significantlyreduce this number. In general, the computation will be linear in thelength of the connection payload being tested.

Modeling Payload Data

Referring to the drawings, and initially to FIG. 1, a system 100 isshown for detecting anomalous payloads according to one or moreembodiments of the present invention. The payload detection system 100of FIG. 1 includes a server 110 that receives data (e.g., payloads orpayload data) from external sources such as, for example, the Internet116. The server 110 can also include a firewall 112 that assists inprotecting the server 110 from potential attacks. The firewall 112functions to filter certain data in order to reduce the possibility ofviruses and worms being transmitted to the server 110 from the Internet116. The server 110 can also be coupled to one or more workstations 114and/or other servers 118. The workstations 114 connect to and interactwith the Internet 116 through the server 110. More particularly, eachworkstation 114 transmits data to the server 110, and the server 110subsequently transmits this data to a destination via the Internet 116.Data from various sources can be received by the server 110 and filteredthrough the firewall 112. Once the data has been filtered, the server110 forwards the data to the workstations 114 in order to facilitateinteraction with remotely located devices.

The server 110 generates a statistical distribution for payload datareceived from the network (or Internet 116), as discussed in greaterdetail below. The server 110 can store a plurality of modeldistributions (i.e., model payloads) that represents, or correspond to,the statistical distributions of normal payloads received by the server110. The statistical distribution of new payload data received by theserver 110 is compared to a selected model payload. The model payload isselected, at least in part, based on the size of the current payloaddata received by the server 110. For example, if the current payloaddata received by the server 110 is 256 bytes, then the model payloadselected by the server 100 will at least include a range thatencompasses 256 bytes.

The server 110 compares the distributions in order to identify anonymouspayloads. Typically, an anomalous payload will have certain differencesin its statistical distribution from the model payload. According to oneor more embodiments of the present invention, the server 110 is capableof further processing the anomalous payloads or data in order todetermine if they correspond to malicious programs such as, and withoutlimitations, worms or viruses. If a worm or virus is detected, theserver 110 can optionally generate a virus pattern or worm signaturethat can be used to protect itself and other machines. For example,according to one or more embodiments of the present invention, when theserver 110 detects and generates a virus pattern (or worm signature), itautomatically updates the rules for the firewall 112 so that theidentified virus or worm will be filtered if further transmitted fromthe Internet 116, or other networks. Other (or overlapping) embodimentsof the present invention allow the server 110 to transmit the viruspatterns and worm signatures to other remote servers 118. The remoteservers 118 can be connected to server 110 through a secure and/ordirect connection as illustrated in FIG. 1. Alternatively, the viruspatterns and signatures can be transmitted through the Internet 116 tothe remote servers 118. Once the remote servers 118 receive the viruspatterns and signatures, they can update their filtering rules so thatthey can protect themselves and connected devices from maliciousapplications transmitted over the Internet 116.

According to one or more embodiments of the present invention, multipleservers (e.g., 110 and 118) can use the payload detection system 110 toidentify anomalous data. Each individual server (for example, referencenumerals 110 and 118) would perform the same techniques to identifyanomalous data, and further determine if they correspond to worms orviruses. However, because the servers 110, 118 are remotely located,they are likely to receive different data from the network, Internet116. Therefore, each server 110, 118 can potentially identify differenttypes of worms or viruses. Further, each server 110, 118 can interactand exchange information regarding virus patterns and worm signatures sothat all servers 110, 118 can update their firewall rules to filter themost recently discovered worms or viruses. Furthermore, individualworkstations 114 can implement the techniques of the present inventionor order to provide another layer of security and/or independentlyprotect themselves.

According to one or more embodiments of the present invention, theserver 110 creates the model distribution based on data received throughthe network 116. For example, the server 110 can implement varioustechniques to capture, or snoop, data it receives or transmits. Thisinformation is tabulated and used to represent the normal flow of datathrough the network. Accordingly, the normal flow of data canconceivably include noise and/or malicious programs. The server 110 cancollect the data for a prescribed period of time and subsequentlygenerate the model distribution of the data that has been collected.

FIG. 2 is a flow diagram illustrating steps performed to generate amodel payload according to one or more embodiments of the presentinvention. These steps can be performed, for example, by the server 110to generate the model payload that will be compared to payload datareceived across the network 116. At step S210, the server receives thepayload data. The payload data can be received from a plurality ofsources including, for example, other networks, the Internet, wirelessnetworks, satellite networks, etc. At step S212, a length distributionis created for the payload data that has been received. It should benoted, however, that the server can continually receive payload datauntil such time as it has collected a predetermined amount of datasufficient to construct the model payload. The length distributioncreated by the server at S212 corresponds to the distribution of lengthsof individual payloads received by the server during a training period.

Referring additionally to FIG. 3A, an example length distributiondiagram is shown. The length distribution diagram of FIG. 3A shows thedistribution of data received based on the size of the payload. Forexample, as shown in the FIG. 3A, the number of payloads having a lengthclose to zero is very low. However, the number of payloads having alength that is approximately 200 bytes is significantly higher. As thenumber of bytes is reduced, the number of payloads having such a lengthalso reduces. This can be attributed to the fact that the majority ofdata received will correspond to text and/or small files. However, thelarger files would correspond to images and/or video or sound files.FIG. 3B illustrates another length distribution of payload data, whichranges from 0 to 10,000 bytes.

Referring back to FIG. 2, at step S214, the length distribution ispartitioned. The partitioning process can be done, in part, to generatemultiple model payloads that can be selectively compared to receivedpayload data. According to one or more embodiments of the presentinvention, at least one advantage of partitioning the lengthdistribution is to reduce the amount of time necessary to calculate thedifference between the statistical distribution of the received payloadcompared to the distribution of the model payload. There are varioustechniques that can be used to partition the length distribution. Forexample, according to one embodiment of the present invention, at leastone clustering algorithm can be used to partition the lengthdistribution. The length distribution can also be partitioned usingkernel estimates.

At step S216, a statistical distribution is generated for each of thepartitions created from the length distribution. The statisticaldistribution can correspond, for example, to the frequency distributionof ASCII characters (or data) contained in the payload. Referringadditionally to FIG. 4, a statistical distribution of example payloadshaving a length of 150 to 155 bytes is illustrated. According to theexample embodiment of FIG. 4, the statistical distribution correspondsto the byte frequency count of data contained in the payload. Forexample, the x-axis represents the numerical value of the ASCIIcharacter, while the y-axis corresponds to the number of times aparticular character occurred in the payload. The y-axis may benormalized corresponding to the percentage of the number of occurrencesof a particular character or byte value.

According to one or more embodiments of the present invention, an n-gramtechnique can be used to group the bytes when generating the statisticaldistribution. Using such a technique, the variable n corresponds to aparticular byte grouping which can take on different values. Forexample, in a 2-gram distribution, adjacent pairs of bytes would begrouped together as one feature. Similarly, using a 4-gram distribution,4 adjacent bytes would be grouped as one feature. It should be furthernoted that one or more embodiments of the present invention can providefor mixed-gram distribution of the payload, as previously described. Forexample, a portion of the length distribution can be grouped with as 2bytes, while other portions are grouped as three, or four, etc. Thus,depending on the complexity of the length distribution and/or datareceived by the server, a mixed-gram distribution can be used to reducethe amount of time necessary to calculate the difference between areceived payload data and the model payloads.

According to one or more embodiments of the present invention, thestatistical distribution can be arranged in various forms. For example,a rank ordered byte frequency count can be generated from the byte valuedistribution. FIG. 5A illustrates a rank ordered byte frequency count ofcharacter distributions. In FIG. 5A, the character, which occurred mostfrequently, is mapped as character one on the x-axis. The next mostfrequently received character mapped is character two, etc. Examinationof FIG. 5A reveals that not every single ASCII character was containedin the payload data. Accordingly, in the rank ordered byte frequencygraph, the right most part of the chart is empty. Furthermore, for thesample connection length and payload data tested for this example, only29 characters were present.

FIG. 5B illustrates another exemplary rank ordered byte frequency chartfor a connection length of 150 to 155 bytes (illustrated in FIG. 4). Ascan be seen in FIG. 5B, there were more ASCII characters present in thepayload data as compared to FIG. 5A. In particular, 83 ASCII characterswere present. Thus, the rightmost portion of the graph has no values.

Referring back to FIG. 2, at step S218, the model payload(s) isconstructed. Depending on the number of partitions generated, acorresponding number of model payloads would be constructed. Forexample, if the length distribution were partitioned into 20 sections,there would be 20 separate model payloads constructed. According to oneor more embodiments of the present invention, each model payload can begenerated in the form of a payload signature string.

Referring to FIG. 6A, an example payload signature “Z-string” 150corresponding to the rank ordered byte frequency count of FIG. 5A isshown. The payload signature Z-string is a string value formed directlyfrom the statistical distribution data representing the particular bytevalues in order of frequency, from highest to lowest. Further, thepayload signature Z-strings of the present invention can have differentlengths depending on the content of the data. As shown in FIG. 6A, thepayload signature string 150 includes plurality of ASCII characters.Table 160 illustrates in further detail, the data corresponding to whichcharacters occurred with the highest frequency. As can be seen from FIG.6A, the table only includes 29 entries. This value corresponds to thenumber of characters that occurred for the sample connection length.

FIG. 6B illustrates an example payload signature string for the rankordered frequency chart of FIG. 5B. The signature string 170 is alsoshown with the corresponding table containing the values of eachcharacter from the graph. Similar to FIG. 6B, only 83 entries arepresent in the table 180. This value again corresponds to the graph inFIG. 5B.

Once the model payloads have been constructed, the server compares eachreceived payload data with the model payloads in order to identifyanomalous payloads. Further, as previously indicated, the receivedpayload data is compared to a model payload, which corresponds to thelength of the payload data. For example, if a received payload data hada length of 40 bytes, it would be compared to a payload signature stringsuch as that of FIG. 6A. Likewise, if the received payload data has alength of 153 bytes, it would be compared to a payload signature stringsuch as that of FIG. 6B.

Turning now to FIG. 7, a flowchart is illustrated for constructing modelpayloads according to one or more embodiments of the present invention.At step S250, payload data is received. This corresponds to the serverreceiving data through the network. At step S252, a length distributionis created for the payload data. As previously discussed, the serverwill receive a plurality of payload data sufficient to create modelpayloads. Once the plurality of payload data has been received, thelength distribution can be created. Alternatively, a minimum amount ofdata can be received by the server, and the length distribution can beinitially created based on this data. As data is received, the lengthdistribution would be continually updated and the model payloadsconstructed would be refined to better reflect the type of datacurrently being received through the network.

At step S254, the length distribution is partitioned into a plurality ofportions. As previously discussed, the length distribution can bepartitioned using kernel estimates and/or various clustering techniques.At step S256, a byte value distribution is created for each partition.At S258, the payload data is sorted into the different partitions. Forexample, if one of the partitions corresponds to payload data having alength of 0 to 50 bytes, then any individual payload data that fallwithin that range would be sorted into that particular partition. AtS260, a model payload is constructed for each partition.

According to one or more embodiments of the present invention, varioustechniques can be applied to construct and/or refine the model payloads.For example, as illustrated in FIG. 7, the payload data contained ineach partition can be compiled at step S262. This corresponds to a stepwhere all of the payload data in the partition is combined for furtherprocessing. Once the payloads in the partitions are compiled, a centroidis computed for each partition at step S264. The centroid can becomputed using any of a plurality of computation techniques. At stepS266, the centroid is designated as the model payload. Accordingly,using this method of refining the model payload, the centroid (i.e.,newly designated model payload) would be used to determine whetherincoming payload data is anomalous.

Alternately, at step S268, a plurality of partition length distributionsare created. A partition length distribution is simply the distributionof the data within the partition as previously discussed. Once thepartition length distribution is created, the data is clustered at stepS270 to generate a plurality of cluster distributions. At step S272, acentroid is computed for each cluster that has been generated. At stepS274, a model centroid is computed. According to one or more embodimentsof the present invention, the model centroid computed at step S274corresponds to the centroid of all the cluster centroids that werecomputed at step S272. Accordingly, the model centroid is the centroidof a plurality of centroids. At step S276, the model centroid isdesignated as the model distribution. Thus, incoming data would becompared to the model centroid in order to determine anomalous payloadsthat could potentially be a malicious program.

According to one or more embodiments of the invention, the clusteringalgorithm used in conjunction with step S270 can be a real-time,incremental algorithm, and it may not be necessary to specify the numberof clusters in advance. An initial number of clusters, K, can be set tocorrespond to the maximum possible clusters number allowable. Forexample, a value of K=10 may be sufficient to represent the number ofdifferent kinds of network payload traffic. A new payload that isanalyzed during the training phase can be used to update the statisticsof a previously computed centroid which is most similar to the newpayload. If there are no centroids yet computed, or no existingcentroids that are similar to the new payload, then the new payload isused as a new centroid. If the total number of centroids is greater thanK, then the two most similar centroids can be merged by combining theirstatistics into one distribution. When the training phase is complete,certain centroids can be pruned by only retaining those centroids thatwere computed with a specified minimum number of training payloads. Suchpruning of “under-trained” centroids can assist in the identification of“noise” in the training data which could possibly represent a “bad”payload that would otherwise not be identified during the detectionphase.

According to one or more embodiments of the present invention, theserver is further capable of aging out data that has been received sothat the model distribution being used can accurately reflect the typeof data that is currently flowing through the network. For example, atstep S278, the server can check the date on payloads that have beenreceived and used to generate the model distribution. At step S280, theserver determines if the date of a payload data is greater than, orolder than, a predetermined threshold. For example, in order tomaintain, or keep the payload profile current, it can be determined thatonly payload data received within the last six months should be used toconstruct the model distribution. Based on such an example, a payloaddata that is older than six months would exceed the threshold. If thedate of the payload data exceeds the threshold, then control passes tostep S282 where the payload data is discarded. Alternatively, if thedate of the payload data does not exceed the threshold value, then theserver simply continues receiving payload data at step S284.

According to one or more embodiments of the present invention, theserver can continually receive and process payload data to refine themodel distributions incrementally. Thus, the server would continuereceiving the payload data and control would optionally pass to stepS252 where a new length distribution would be created. Furthermore, oneor more embodiments of the present invention can set a time frame forwhich the server would be required to generate a new model distribution.Thus, once the timeframe has expired, the server would collect data andcreate a new length distribution at step S252 and redefine the modelpayloads.

Automatic Training and Calibration

According to one or more embodiments, the present invention can performautomatic training and calibration. The present invention is alsocapable of stopping automatically when it has been sufficiently trained.For example, a training process can be designed such that it is fullyautomated. An epoch size and threshold can be established once, and thesystem would independently decide when sufficient training has beenreceived. The epoch corresponds to a predetermined length of time or apredetermined amount of data. Furthermore, the training and calibrationcan be performed based, for example, on user-specified thresholds.Alternately, the system could determine an initial threshold for eachpayload model by testing training data and choosing the maximum distancevalue, for example. The number of packets captured for each epoch canoptionally be adjusted by the user. After each training epoch, newmodels that have just been computed are compared to the models computedin the previous epoch. The training ends when the models become“stable”.

FIG. 8 is a flowchart illustrating the manner in which the server candetect when sufficient payload data has been received to construct themodel payload according to one or more embodiments of the presentinvention. At step S310, the server would define a current epoch. Anepoch corresponds to a predetermined length of time during which datacan be, or is being, received. At step S312, the server would receivepayload data in the normal fashion. At step S314, a current payloadmodel is constructed by the server. The current payload modelcorresponds to a payload model for all the payload data that has beenreceived during the current epoch.

At step S316, the current payload model is compared to a previouspayload model. Accordingly, during the first epoch, there would be noprevious payload model to which the current payload model can becompared. In one or more embodiments of the present invention, theserver can be provided with an initial payload model that has previouslybeen collected. Thus, during the first iteration, the current payloadmodel would be compared to the saved initial payload model. Thecomparison between the current payload model and the previous payloadmodel can be done in many ways including, for example, calculation of astatistical distance between the two different distributions.

At step S318, it is determined if the distance between the currentpayload model and the previous payload model is less than apredetermined threshold. If the distance is less than the predeterminedthreshold, then sufficient data has been collected to construct thepayload model. The process stops at step S320. Accordingly, the currentpayload model would be used as the model payload for comparing theincoming payload data. Alternatively, if the distance is greater thanthe threshold value, then a new epoch is defined at step S322. At stepS324, the current payload model is designated as the previous payloadmodel. Control then returns to step S312 where the server receivespayload data for the new epoch which has been set at step S322. Theprocess repeats iteratively until the distance between the currentpayload model and the previous payload model is less than the thresholdvalue.

According to one or more embodiments of the present invention, thestability for each model for each port can be decided by two metrics:the first is the number of new models (before clustering) produced in anepoch; the second is the simple Manhattan distance of each model afterthe current epoch to the one computed in the previous training epoch. Ifboth metrics are within some threshold, the models are considered stableand training is stopped. If multiple ports are being monitored, anadditional metric can be used. This additional metric can examine thepercentage of the stable ports out of the total ports being monitored.If the percentage of stable ports is higher than some user-definedthreshold, the whole training process is concluded. Models of the“unstable” ports could optionally be discarded because they are not welltrained and shouldn't be used for anomaly detection during testing.

Once the training is complete, an anomaly threshold can be determined.Instead of using a universal threshold for all the centroids, onedistinct threshold is selected for each. Such fine-grained thresholdscan improve the accuracy. This can be accomplished in various ways. Forexample, sampling can be performed during the training phase. Thesamples can then be used to help decide the initial thresholds usedduring detection time automatically. During the training process, abuffer of payload samples is maintained for each centroid. There areminimum and maximum number of samples, and a sampling rate s %. Beforereaching the minimum number, every packet payload in this bin will beput into samples. Each payload then has a probability, s, of being putinto buffered samples. After filling the buffer to its maximum size, afirst in first out (FIFO) style buffering is used. The oldest one willbe rotated out when a new sample is inserted. After the whole trainingphase is finished, the samples are computed against the centroid and themaximum distance is used as the initial anomaly threshold for thatcentroid. Because of the FIFO style sampling, the computed thresholdreflects the most recent payload trend, and performs an adaptivelearning to accommodate concept drift. This means the models, and thecalibrations are computed to favor the more recent environment in whichthe system has been embedded.

At the very beginning of testing, the present invention can also run inepochs. After each epoch, the generated alert rate is compared againstsome user-defined number. If the total alert rate is too high, thethreshold will be increased by t % and starts the next epoch. Such acycle repeats until the alert rate reaches the desired rate. After thiscalibration phase, the system would be considered stable and ready torun in detection mode. It should be noted that the system continues totrain a new model to keep the models refreshed and up to date to reflectthe latest environment.

Detecting Anomalous Payloads

FIG. 9 is a flow diagram illustrating the steps performed to detectanomalous payloads transmitted through a network according to one ormore embodiments of the present invention. At step S350, the serverreceives payload data from the network. This corresponds to data thatcan be received, for example, from either an external, internal,wireless, or satellite network, etc. At step S352, the server determinesthe length of data contained in the payload. At step S354, a statisticaldistribution is generated for the data contained in the payload. Forexample, the server would analyze the data contained in the payload andgenerate, for example, a statistical distribution of charactersoccurring in the data, as previously discussed. At step S356, thestatistical distribution of the payload data is compared to a modeldistribution. For example, the server would contain a plurality of modeldistributions, as previously discussed, that can be retrieved andapplied to appropriate sizes of payloads. At step S358, the serveridentifies anomalous payloads as those payloads that, for example, aresufficiently different from the model distribution based onpredetermined user criteria. Accordingly, any payload that is identifiedas anomalous would be either discarded or further analyzed.

FIG. 10 is a flowchart illustrating the manner in which anomalouspayloads can be detected according to one or more embodiments of thepresent invention. At step S410, the payload is received by the server.At step S412, the server determines the length of data contained in thepayload. At step S414, a statistical distribution is generated for thepayload data. According to one or more embodiments of the presentinvention, the payload data can be distributed using, for example, ann-gram or mixed-gram distributions. This is illustrated at step S416.According to one or more embodiments of the present invention, variousweight factors can be assigned to different byte values in thestatistical distribution. This is illustrated at step S418. The variousweight factors are selected so that byte values that can possiblycorrespond to operation codes of a computer or network device areweighted higher, and thus examined with greater scrutiny. The weightfactors can, at least in part, improve the server's ability to detectmalicious programs such as worms that execute various operation codes ofthe computer or device. For example, the operation codes can be machinecode for jump instructions, or to script language characterscorresponding to arithmetic operations and so forth.

According to such embodiments of the invention, anomalous payloads witha higher likelihood of containing malicious computer code can be quicklyidentified. Thus, when an alert is generated for some payload, thatpayload can optionally have a separate test to determine if it containsbyte values of special interest, or alternatively, the scoring of apayload could be changed to increase its “distance” from the normaldistribution if it contains “distinguished” byte values. Accordingly,the Mahalanobis distance can be modified to account for the weightedvalues, or a different distance function that factors the weightingcertain byte values can be used. At least some of the benefits of suchembodiments include: improved accuracy in identifying malicious code,reduction of false positives, and assistance in quickly identifying apayload anomaly as a true zero day exploit or worm.

At step S420, a model distribution is selected by the server. The modeldistribution is selected such that it encompasses the length of datacontained in the payload. For example, as previously discussed, if oneof the model distributions corresponds to a payload length of 150 to 155bytes, then any received payload data having a length falling withinthat range would be compared to that model distribution. At step 422, itis determined whether the profile of the model distribution is adecaying profile. This can occur, for example, in situations where themodel distribution is arranged in a rank ordered byte frequency count.Thus, the first entries would have a greater value, which decays to asmall value toward the end of the chart.

As previously indicated, the computational complexity is linear in thelength of the connection. To make it faster, the computation can bestarted from the tail of the character frequency distribution and stopimmediately if the distance is larger than the threshold, for bothMahalanobis distance and the string edit distance. The tail part of thedistribution are those characters that never occurred in the trainingdataset (those with zero frequency), or those that very seldom appeared(a very low frequency). If such characters appear in the test data,there is a high probability that the data is anomalous and therefore maybe malicious. Accordingly, the time to detect the malicious connectioncan be reduced.

Accordingly if the model distribution has a decaying profile then atstep S424, the server selects an option to compute the distancemeasurement from the end of the distribution. Alternatively, if themodel distribution does not have a decaying profile, then at step S426,the server selects the option to measure the distance from the start ofthe model distribution. The distances measured at step S424 and S426corresponds to the comparison made with the model distribution todetermine the differences between the received payload data and themodel distribution. As previously discussed, various techniques can beused to calculate the distance between the two distributions. At stepS428, it is determined if the distance is greater then a predeterminedthreshold value. For example, the threshold value would correspond to aminimum distance allowed between the received payload and the modeldistribution. If the distance is less than the threshold value, then theserver identifies the payload data as normal data at step S430.Alternatively, if the server determines that the distance exceeds thethreshold value, then the payload is identified as being anomalous atstep S432. If the payload is considered to be a normal payload at stepS430, then it is simply directed to the identified destination and theprocess ends at step S444. However, for payloads that are determined tobe anomalous, the server can perform additional tests to identifyvarious characteristics of the data contained in the payload.

For example, at step S434 the server determines whether the payloadcorresponds to a malicious programs, such as, for example, a worm orvirus. This can be done in various ways. For example, the server cancompare various features of the payload data to known worm or virussignatures. Alternatively, the payload data can be transmitted to acontrolled site where the program may be allowed to execute, or it maybe emulated, so that it can be determined whether the program is in factmalicious.

According to one or more embodiments of the present invention, theserver can identify the longest common string, or longest commonsubsequence, found in payloads that are considered to be anomalous. Ifinbound (or ingress) packets or payloads are deemed anomalous, andoutbound (or egress) packets or payloads are deemed anomalous, and theinbound packets have the same destination address as the outboundpackets, then the payloads can be compared to determine the longestcommon strings, or the longest common subsequences of both anomalouspayloads. Based on the longest common string, or the longest commonsubsequence, the host would generate a signature which identifies theparticular worm or virus and serves as a content filter for the worm orvirus. If the anomalous data is determined not to be in fact a worm orvirus, then it is discarded at step S436 and the process ends for thatparticular payload data. Alternatively, if the payload is determined tobe a worm or virus, then the signature is generated at step S438. Atstep S440, any virus patterns or worm signatures that have beengenerated by the server are transmitted to other servers, routers,workstations, etc. for content filtering.

According to one or more embodiments of the present invention, theserver can automatically adjust the threshold value to assist and/orimprove the ability to detect anomalous payload data. This isillustrated at step S442. For example, one method of automaticallyadjusting the threshold value requires that the server set an alertthreshold. The alert threshold would correspond to a predeterminednumber of alerts that the server would generate. Each alert wouldcorrespond to one anomalous payload data. Thus, if the alert thresholdis 100 for a one hour period of time, then the server wouldautomatically adjust the threshold if 100 alerts are not generatedwithin a one hour period of time. The server can also have a margin oferror such as, for example, ±5 alerts. Therefore, if the servergenerates 95 to 105 alerts within an hour period no adjustment is made.However, if the server generates only 80 alerts within the time period,this would suggest that the threshold value is too high and the distancebetween received payloads and the model payloads is not long enough toexceed the threshold. Therefore, the server would reduce the value ofthe threshold so that a greater number of alerts would be generated.Alternatively, if the server is generating a greater number of alerts,such as 150, then the threshold can be increased so that fewer alertsare generated.

FIG. 11 is a graph showing the distance of various payload data from themodel distributions. The plurality of the payload data fall within apredetermined distance from the model payload. However, the code redworm has a distance which far exceeds the general clustering of normalreceived payloads. Thus, in this situation, the server would easilyidentify the code red worm as a potential attack on the server.

For the example shown in FIG. 11, the actual payload of the Code Redworm was used as the target for detection to show how effective thistechnique can be at detecting zero day worm and viruses. The trainingdata was sniffed from the web traffic to a web server over a 24 hourperiod of time. The training payloads were partitioned into differentsubsets according to their length partitioning, and the normal modelswere computed. The Code Red payload was then analyzed. The distributionof byte values in its payload was computed, and compared to the normalpayload profile distribution.

The graph in FIG. 11 shows the simplified Mahalanobis distance ofconnections within length range 380-385, for both the normal connectionsand the Code Red attack. As can be seen, the Code Red attack connectionhas a much larger distance than all the other normal connection.Accordingly, given a predetermined threshold, it can easily be detectedas something malicious and rejected without damaging the web server. Thethreshold can be set during the training phase. One possible value isthe maximum of the training data's distance values plus some tolerance.Using this technique, the host can be protected from the virus/wormseven before any virus signature is released.

Instead of using the distance metrics to compute the similarity, the“normal payload signature Z-string” can also be used to achieve the samegoal. Having the profile “signature Z-string” and the byte string of newconnection data to be tested, a simple string edit distance can be usedto get their similarity score. The string edit distance just counts howmany characters are misplaced from the profile signature string. Oneadvantage of the string edit distance is the fact that it doesn'tinvolve any numerical computation but just equivalence comparison ofstrings. This can result in a very fast distance calculation.

Exemplary Usage of the Invention Network Appliances

One or more embodiments of the present invention may be implemented on acomputer system that passively sniffs and audits network traffic on acomputer network, or may be implemented on the same computer operating anetwork firewall, or may be implemented on a host or server computer forwhich a profile has been computed. One or more embodiments envisionbuilding a network appliance capable of computing normal payload modelsfor a multitude of services and ports, for both inbound and outboundtraffic. The appliance may distribute anomaly detection models to afirewall for filtering traffic to protect any service on the network.Alternatively, the payload detection system can be implemented on anetwork interface card of a host or server computer without the need toinstall new software on the server or host, or to install a newappliance or device on the network system.

Incremental Learning

According to one or more embodiments of the present invention, a 1-grammodel with Mahalanobis distance can be implemented as an incrementalversion with only slightly more information stored in each model. Anincremental version of this method can be particularly useful forseveral reasons. First, a model may be computed on the fly in a“hands-free” automatic fashion. That model will improve in accuracy astime moves forward and more data is sampled. Furthermore, an incrementalonline version can also “age out” old data from the model keeping a moreaccurate view of the most recent payloads flowing to or from a service.

One or more embodiments of the present invention allow older examplesused in training the model to be aged out. This can be accomplished, atleast in part, by specifying a decay parameter of the older model andemphasizing the frequency distributions appearing in the new samples.This allows automatic updating of the model to maintain an accurate viewof normal payloads seen most recently.

Computation of the incremental version of the Mahalanobis distance canbe accomplished in various ways depending on the specific implementationof the present invention. For example, the mean and the standarddeviation is computed for each ASCII character seen for each new sampleobserved. For the mean frequency of a character, x=Σ_(i=1) ^(N)x_(i)/Nis computed from the training examples. Optionally, the number ofsamples processed, N, can be stored. This allows the mean to be updatedas

$\overset{\_}{x} = {\frac{{\overset{\_}{x} \times N} + x_{N + 1}}{N + 1} = {\overset{\_}{x} + \frac{x_{N + 1} - \overset{\_}{x}}{N + 1}}}$

when new sample is observed. Since the standard deviation is the squareroot of the variance, the variance computation can be rewritten usingthe expected value E as:

Var(X)=E(X−EX)² =E(X ²)−(EX)²

The standard deviation can be updated in a similar way if the average ofthe x_(i) ² in the model is also stored.

According to such embodiments of the present invention, only oneadditional 256-element array needs to be maintained in each model thatstores the average of the x_(i) ² and the total number of observationsN. Thus, the n-gram byte distribution model can be implemented as anincremental learning system easily and very efficiently. Maintainingthis extra information can also be used in clustering samples asdescribed in greater detail below.

Reduced Model Size by Clustering

As previously discussed, a model M_(ij) is computed for each observedlength bin i of payloads sent to port j. Under certain circumstances,such fine-grained modeling might introduce problems. For example, thetotal size of the model can become very large. This can occur when thepayload lengths are associated with media files that may be measured ingigabytes and many length bins are defined. Consequently, a large numberof centroids must be computed. Further, the byte distribution forpayloads of length bin i can be very similar to that of payloads oflength bins i−1 and i+1; because they vary by one byte. Storing a modelfor each length can sometimes be redundant and wasteful. Another problemis that for some length bins, there may not be enough training samples.Sparseness implies the data will generate an empirical distribution thatwill be an inaccurate estimate of the true distribution leadingpotentially to a faulty detector that generates too many errors.

The anomaly detection system of the present invention provides variouspossible solutions to address these problems. According to one or moreembodiments of the present invention, one solution for addressing thesparseness problem is relaxing the models by assigning a highersmoothing factor to the standard deviations. This can allow highervariability of the payloads. At least one additional (or overlapping)embodiment of the invention “borrows” data from neighboring bins toincrease the number of samples. In other words, data from neighboringbins is used to compute other “similar” models. Two neighboring modelscan be compared using the simple Manhattan distance to measure thesimilarity of their average byte frequency distributions. If theirdistance is smaller than some threshold t, those two models are merged.This clustering technique is repeated until no more neighboring modelscan be merged. This merging can also be computed using the incrementalalgorithm described before. As previously discussed, such a techniqueinvolves updating the means and variances of the two models to produce anew updated distribution.

For a new observed test data with length i sent to port j, the modelM_(ij), or the model it was merged with can be used. If the length ofthe test data is outside the range of all the computed models, then themodel whose length range is nearest to that of the test data is used. Inthese cases, the mere fact that the payload has such an unusual lengthunobserved during training may itself be cause to generate an alert.

It should be noted that the modeling algorithm and the model mergingprocess are each linear time computations, and hence the modelingtechnique is very fast and can be performed in real time. Additionally,the online learning algorithm assures that models will improve overtime, and their accuracy will be maintained even when services arechanged and new payloads are observed.

Correlated Ingress and Egress Traffic to Detect Worm Propagation andGenerate Signatures

Self-propagation is one key feature and necessary condition for worms.Self-propagation means that once a worm infects a machine, it will startto attack other machines automatically by attempting to send a copy ofitself, or a variant thereof, to another susceptible host. For example,if a machine gets infected by worm Code Red II from some requestreceived at port 80, then this machine will start sending the samerequest to port 80 of other machines. Such propagation pattern is truefor almost every worm. So if some egress traffic to port i that is verysimilar to those anomalous ingress traffic to port i can be detected,there is a high probability that a worm aiming at port i is propagatingitself.

According to one or more embodiments of the present invention, incomingmalicious traffic can be detected, and an alert generated. At the sametime, the payload can be provided as a string in the buffer for port i,and compared to the outgoing traffic against all the strings to seewhich return the highest similarity score. If the score is higher thansome predetermined threshold, a possible worm propagation is presumed.In addition, the present invention can be implemented on a servermachine such as, for example a web server. Web servers generally have alarge amount of incoming requests but outgoing requests are typicallyunlikely. So any outgoing request is already quite suspicious, andshould be compared against the malicious strings. If the host machine isworking as both server and client, which means both incoming requestsand outgoing requests are common, the same modeling technique would beapplied to the outgoing traffic and only used to compare egress trafficalready judge as malicious.

One or more embodiments of the present invention also provide multiplemetrics which can be used to decide the similarity between two strings.The most common ones are longest common substring (LCS) or longestcommon subsequence (LCSeq). The difference between them is: the longestcommon substring is contiguous, while the longest common subsequenceneed not be. LCSeq has the advantage of being able to detect“polymorphic” and “metamorphic” worms; but they may introduce falsepositives. Other techniques such as probability modeling methods thattake into account context dependent substring sizes can also be appliedby the present invention. The similarity score returned is thepercentage of the common part's length out of the total length of themalicious payload string. An alternative (or overlapping) implementationto compute a signature would be to compute the set of (at least one)most frequently occurring substrings within the payload appearing in twoor more examples of anomalous data.

According to one or more further (or overlapping) embodiments, thepresent invention can be used to automatically generate worm signatures.By computing the similarity score, the matching substring orsubsequence, which represents the common part of the ingress and egressmalicious traffic are also computed. Since the traffic being compared isalready judged as malicious, which means the payload is quite differentfrom the normal ones, these common strings represent the worm's contentsignature. Thus, by correlating the ingress and egress maliciouspayload, the present invention is capable of detecting the very initialworm propagation, and identifying its signature or partial signatureimmediately without any external involvement. This helps to solve thezero-day worm problem. Such signatures may then be communicated to otherhosts and devices for content filtering to eliminate any furtheroccurrence of the worm infecting any other hosts on the network.

More Accurate Worm Detection by Collaborative Security

According to one or more embodiments of the present invention, theanomaly detection system can be implemented on multiple hosts anddevices on a network. The hosts and devices can then collaborate witheach other, for example, by exchanging alerts and possible wormsignatures. Accordingly, a worm can be quickly identified and preventedfrom spreading because multiple hosts report the same worm signature toeach other. The signature can then be announced in order to applycontent filtering quickly all over the network. Using such collaborativesecurity strategies, it is possible to reduce the likelihood that wormscan spread throughout and occupy the network.

Identifying Files

There are various complications that can result from networkedenvironments, some relating to the fact that the network may be used inan office environment. Compounding these problems are the high speeds atwhich data can be transmitted across multiple networks. Consequently,network operations and/or security personnel may wish to know howcomputers in the network are actually used and what types of data arecommunicated among hosts inside and outside the network. This canentail, for example, determining the types of files and media beingtransmitted among computers (and users) within the network. While mosttransmissions are generally harmless, they can sometimes provide anavenue for spreading malicious programs such as viruses and worms.Furthermore, some employers maintain confidential and/or personalinformation that should not be disseminated outside the workplace. Suchemployers often enact policies that warn employees not to transmitcertain files and/or information to computers outside of the companynetwork. It can also be the case that employers do not wish certain filetypes to be received from (or transmitted to) external networks orcomputers.

In order to enforce some of these policies, traffic through the companynetwork is typically monitored so that certain files can be blocked orexamined. For example, an email attachment “Patent25.doc” may beexamined if Word documents should not be transmitted to externalcomputers. However, it is relatively simple to mask (or hide) the truetype of a file by simply changing the extension associated with thefile's name. Hence, a user can easily circumvent the security policy bychanging the name of the file from Patent25.doc to HolidayPictures.jpg,for example. Alternatively, the file could be given a different suffixindicative of, e.g., an image file, and transmitted outside the network.Once received, the recipient could rename the file to Patent25.doc, andopen it with, for example, Microsoft Word. Conversely, an incoming emailattachment can be a virus or worm that has been renamed to, for example,Patent25.doc. Once opened, the virus could cause damage to the computersystem.

FIG. 12 is a block diagram illustrating certain situations where filesmay be transmitted to a user covertly or under false pretense. Forexample, the workstation 114 is connected to a network such as theInternet 116. Three different file attachments have been transmitted tothe workstation. The first file attachment 150 has the file name“hello.doc”. This file is presumed to be a Microsoft Word file. However,such is not the case. The file is in fact a virus (sobig.exe) that hasbeen renamed to appear as a Word document. The second file attachment152 is entitled “junk.zip”. This file may not necessarily be renamed,but is in the form of an archive file that can contain multiple archivedcontents. The archived contents cannot be seen until the archive file152 is accessed or opened. There are situations where an operatingsystem or mail program may automatically access the archive file 152 assoon as it is received. Thus, if a virus is contained within the archivefile 152, it can automatically be released. The third attachment 154 isentitled “document.pdf” so that it will not be identified as a Wordfile. However, the file was originally named “contract.doc”. All of thefiles can present potential problems to the workstation 114.

FIG. 13 illustrates a method of identifying file types being transmittedthrough a network according to one or more embodiments of the presentinvention. At step S510, a transmission is received through the network.The transmission can be a conventional email message, and can includevarious types of information such as, for example, text, attachments,etc. At step S512, it is determined whether the transmission containsany files. The files can be included in the transmission as part of anattachment to the email message. If the transmission does not includeany files, then control passes to step S526 where the process ends.However, if it is determined that the transmission contains one or morefiles, then at step S514, a statistical distribution is generated fordata contained in each of the files in the transmission.

At step S516, a model distribution is selected. The model distributioncorresponds to one or more statistical distributions that have beengenerated for predetermined file types. For example, a particular modelfile distribution could be generated for a .gif file. Similarly, a modeldistribution could be generated for a .pdf file, a .doc file, a .jpegfile, etc., using concepts previously described and/or those describedbelow. Referring additionally to FIGS. 14A-141, model distributions ofvarious file types are illustrated. At step S518, the distance betweenthe statistical distribution for the file is measured against the modeldistribution. As previously discussed, various methods can be used tomeasure the distance including, but not limited to, the Mahalanobisdistance. Additionally, if the transmission contains more than one file,then the distance test would be applied to each file contained in thetransmission. At step S520, it is determined whether the distancebetween the received file and the model distribution is greater than apredetermined threshold. If this distance is greater than the threshold,then control passes to step S522. If the distance is less than thethreshold, then control passes to step S524. At this point, the receivedfile can be identified as being of a particular type. For example, thetype for the model distribution is already known. Thus, the receivedfile can be determined to be of the same type as the model distribution.Control would then pass to step S526 where the process ends.

At step S522, it is determined whether there are additional modeldistributions. If there are no more additional model distributions, thenthe process also ends without having identified, or being able toidentify, the type of the received file. However, if there areadditional model distributions available, then control returns to stepS516 where the next model distribution is selected. The process wouldcontinue until the received files are tested against all of the modeldistributions and either a type is determined or a type cannot bedetermined. According to one or more embodiments of the presentinvention, if the type for the file cannot be determined, then the filecan be discarded or identified as a potential virus or maliciousprogram.

FIG. 15 is a flowchart illustrating a method for modeling file types inaccordance with one or more embodiments of the present invention. Atstep S550, a plurality of files are collected. The files are known tohave a particular type and/or created as such types. For example, aplurality of .pdf files can be collected, or a plurality of .doc files,.jpeg files, .gif files, etc. As long as all of the files are of thesame type, they can be used to generate the appropriate model. At stepS552, a statistical distribution is generated for each of the files thathave been collected. At step S554, the statistical distributions arecombined. This can be accomplished in a variety of ways including, forexample, simple addition of the distribution for each file collected.

At step S556, a plurality of clusters is formed for the statisticaldistributions. At step S558, a centroid is computed for each clusterformed for the statistical distributions. At step S560, a model centroidis computed. The model centroid corresponds to the centroid of theplurality of cluster centroids computed at step S558. At step S562, themodel centroid is designated as the model to represent the particularfile type. Accordingly, if .pdf files are being modeled, then the modelcentroid would correspond to a model distribution for .pdf files. Atstep S566, the process ends. According to one or more embodiments of thepresent invention, the model file type can also be based on the combinedstatistical distribution for all the files that have been collected.This is illustrated at step S564. Thus, the combined statisticaldistributions of the collected file would be assigned as the modeldistribution for the particular file type.

FIG. 16 is a flowchart illustrating steps performed to verify file typesaccording to one or more embodiments of the present invention. At stepS610, the file is received. The file can be received from any of aplurality of sources including, for example, general networktransmissions, electronic mail, or portable media. At step S612, astatistical distribution is generated for the file. At step S614, themodel distribution corresponding to the received file type is retrieved.For example, if the received file type is tagged (or designated using aparticular extension) as a jpeg file, then the appropriate modeldistribution for a jpeg file would be retrieved. At step S616, thestatistical distribution for the received file is compared to the modeldistribution retrieved at step S614. At step S618, it is determinedwhether the statistical distribution for the received file is within thetolerance limit of the model distribution. More particularly, thedistance between the statistical distribution for the received file andthe model distribution is reviewed to determine whether it falls withinthe tolerance threshold.

If the distance for the statistical distribution for the received fileis within the tolerance, then the file can be confirmed as being of thetype specified in the file name. This is illustrated at step S620. Theprocess would thus end upon confirming the type of the received file.Alternatively, if the distance of the statistical distribution for theretrieved file is not within the tolerance, then an alert can begenerated to indicate that the file is actually not of the typespecified in the file name. This is indicated at step S622. At stepS624, the file can either be blocked or discarded from furthertransmissions through the network or workstation.

According to one or more embodiments of the present invention, upondetecting that a file is inappropriately named, and corresponds to adifferent file type, further testing can be performed to determine ifthe file is actually a virus purporting to be of a different file type.Control would then return to step S624 where the file can again beblocked or discarded from further propagation through the network. Theprocess then ends at step S628.

FIG. 17 is a flowchart illustrating steps performed to detect and/oridentify malicious programs, such as viruses and worms, according to oneor more embodiments of the present invention. At step S650, atransmission is received through the network or at a workstation. Thetransmission can be a transmission across a network between multiplecomputers, within the network, etc. Additionally, the transmission cancorrespond to internal transmissions of data within a single machine.For example, the transmission can correspond to reading of a file from aportable medium into the memory of the workstation.

At step S652, it is determined whether there are any files attached tothe transmission. If no files are attached to the transmission, then theprocess ends. If any files are present in the transmission, then controlpasses to step S654. Information regarding the type of each file isretrieved. The information can be retrieved, for example, by examiningthe extension in the file name. At step S656, a statistical distributionis generated for the file. At step S658, the model distributioncorresponding to the type of the file is retrieved. At step S660, thestatistical distribution for the file is compared to the modeldistribution retrieved. At step S662, it is determined whether thestatistical distribution for the file is within the tolerance threshold.If so, then the file is likely not a virus and would be identified assuch at step 664. However, if a statistical distribution for the file isnot within the tolerance, then the file is identified as a virus at stepS666. At step S668, the statistical distribution for the file can becompared to any known virus statistical distributions.

According to one or more embodiments of the present invention, variousweight factors can be assigned to different byte values within thestatistical distribution. This is illustrated at step S670. Aspreviously discussed, higher weight factors can be assigned to bytevalues that can possibly correspond to machine execution codes, scriptfiles, and/or other programs that can cause damage to the machine. Atstep S672, it is determined whether the statistical distribution for thefile matches any of the virus distributions. If there is a match, thenthe virus type is identified at step S674. If no match is found, thencontrol passes to step S676. Data contained in the file is examined inorder to identify information regarding the virus. At step S678, anycommon strings or subsequences within the file are identified. At stepS680, the common strings or subsequences are used to generate asignature for the virus. At step S684, the process ends. According toone or more embodiments of the present invention, rather than examiningthe data in the file to generate a signature, the statisticaldistribution for the file can be used as a signature string (ordistribution). This is illustrated at step S682, where a distributionbased signature is generated for the file (i.e., the identified virus).

Tracing Transmission Origin

According to one or more embodiments, the present invention can be usedto address various problems associated with the use of large networkssuch as the Internet. One such problem involves the use of steppingstone proxies. These proxies are used by attackers (or hackers) to hidetheir true locations while launching attacks against various machines.Oftentimes, an attacker will initiate the attack from a “drone” machinethat has previously been hacked and taken control of. These dronemachines can subsequently launch denial of service attacks on variouscommercial computers, servers, websites, etc. Furthermore, the attackercan cause one drone machine to activate a second drone machine therebyinitiating an attack. Once the attack is initiated, the target computeronly sees information from the machine transmitting the attack command.

Since the attacker has taken control of the drone computer, the targetcomputer would only see the IP address of the drone computer causing theattack. Hackers can use multiple levels, or stepping stone proxies, fromwhich to launch such attacks. This makes it increasingly difficult totrace back the location of the actual attacker. To further complicatethe situation, the drone computers can be given specific times forautomatically contacting another drone and/or initiating an attack.

FIG. 18 illustrates one type of stepping stone situation. The attacker200 initiates an attack against a target computer 250. The targetcomputer can be in the same vicinity, country, or state of the attacker.However, the attacker can also be located anywhere in the world where aconnection is provided to the Internet. According to the situation inFIG. 16, the attacker has taken control of four drone computers. Theseinclude the step 1 drone 210, step 2 drone 220, step 3 drone 230, andstep 4 drone 240. All of these drone computers are in the control of theattacker. As previously discussed, during normal network connections amachine can only see information being transmitted from the immediatelyprior machine. For example, the target computer 250, which is theultimate destination of the attack, only sees information beingtransmitted from the step 4 drone 240. Thus, the target computer 250believes an attack is being launched from the step 4 drone 240. Likewisethe step 4 drone 240 sees information related to the step 3 drone 230.Working backwards, the step 3 drone 230 sees an attack being initiatedby the step 2 drone 220. The step 2 drone 220 sees an attack beinginitiated by the step 1 drone 210. The only computer within theconnection link that knows the true address of the attacker 200 is thestep 1 drone 210.

According to one or more embodiments of the present invention, thelocation of the attacker can be determined by analyzing the statisticaldistribution for data payloads transmitted through the multiple dronecomputers. The drone computers are connected to each other across anetwork via a number of service providers 260. Each service provider 260maintains a connection record 270 that contains information regardingtransmissions across the network. The connection record 270 can include,for example, the IP address 272 of the computer system transmittinginformation, the destination address 274 of the computer system wherethe information will be delivered, and the actual information 276 beingdelivered. In order to minimize the amount of information contained inthe connection record, a statistical distribution can be generated foreach data payload 276 that is transmitted. Thus, the statisticaldistribution can be configured such that it is stored within a short,for example 256 byte string, as previously discussed with respectvarious embodiments of the invention. This allows the service provider260 to capture and store information regarding the vast number oftransmissions passing through, without wasting storage space. As will bediscussed in greater detail below, the information maintained by theservice provider can be used to trace back the physical location of theattacker initiating the attack on the target machine. In addition, thestatistical distribution can be generated for the entire connectionrecord 270, or only a portion thereof.

FIG. 19 is a flowchart illustrating the steps performed to trace theorigin of a transmitted message according to one or embodiments of thepresent invention. At step S710, connection records are created by theservice provider. As previously discussed, the connection records caninclude, for example, an address of a previous computer system, a datapayload, and an address for a subsequent computer system. At step S712,the connection records are examined, and statistical distributions aregenerated for data contained in each connection record. At step S714, asuspect payload is identified at an end target computer. Moreparticularly, the suspect data payload can correspond to, for example, amalicious program that was used to either infect or initiate an attackon the target computer system. At step S716, a statistical distributionis generated for the suspect data payload. At step S718, the end targetcomputer is designated as a suspect computer.

At step S720, the statistical distribution for the suspect data payloadis compared to the statistical distributions of data payloads generatedat step S712. At step S722, it is determined whether the distance of thesuspect data payload distribution is within the tolerance threshold tothe current connection record's distribution. If it is within thetolerance, then a match can be identified. If the statisticaldistribution for the suspect payload is not within the tolerance, thenat step S724, it is determined whether there are additional connectionrecords. If there are additional connection records, then controlreturns to step S720 where a comparison is made to the next connectionrecord. If there are no more connection records then the process wouldend. However, if the statistical distribution for the suspect payload iswithin the tolerance, then at step S726, the identity of the previoussender is identified. This can be done, for example, by examining theconnection record from which the distribution was generated. Within theconnection records the address of the sender and destination computersystems are identified. Thus, the suspect computer system would be thedestination address and the previous sender's address would beidentified.

At step S728, it is determined whether the previous computer system isthe original sender of the transmission. If the previous computer systemis the original sender of the transmission, then the identity of theoriginal sender is obtained and the process ends. However, if theprevious sender's address does not correspond to the original sender ofthe transmission, then control passes the step S732. The previouscomputer is designated as the suspect computer. Control then returns tostep S720 where the statistical distribution for the suspect payload iscompared to the statistical distribution for connection records storedby the newly designated suspect computer. The process can repeatbackwards through multiple computer systems until the original sender ofthe transmission is identified.

The anomaly detection system of the present invention can also beimplemented on computers and servers using various operating systemssuch the Windows line of operating systems, Linux, MacOS, etc. Thenecessary program code can also be produced using any programminglanguage such as C++, C#, Java, etc.

The many features and advantages of the invention are apparent from thedetailed specification, and thus, the appended claims are intended tocover all such features and advantages which fall within the true spiritand scope of the invention. Further, since numerous modifications andvariations will become readily apparent to those skilled in the art, theinvention should not be limited to the exact construction and operationillustrated and described. Rather, all suitable modifications andequivalents may be considered as falling within the scope of the claimedinvention.

1. (canceled)
 2. A method of tracing the location of an origin computersystem that initially transmits a suspect data payload across a computernetwork to an end target computer system, the method comprising:retrieving, using a hardware processor, a connection record thatcontains transmission information with a first computer system acrossthe computer network; generating, using the hardware processor, astatistical distribution of data contained in a data payloadcorresponding to the connection record; determining, using the hardwareprocessor, a first distance between the statistical distribution of datacontained in the data payload and a model distribution of data containedin normal payloads transmitted across the computer network; identifying,using the hardware processor, the data payload as a suspect data payloadbased on the first distance; and designating, using the hardwareprocessor, the first computer system as a suspect computer system inresponse to identifying the suspect data payload.
 3. The method of claim2, wherein the statistical distribution of data contained in the datapayload corresponding to the connection record is a rank ordered bytefrequency count of the data contained in the data payload.
 4. The methodof claim 2, further comprising selecting the model distribution from aplurality of model distributions based at least in part on a length ofthe data contained in the data payload.
 5. The method of claim 2,wherein the first distance is calculated based on a Mahalanobis distancebetween the model distribution and the statistical distribution of thedata contained in the data payload.
 6. The method of claim 2, furthercomprising assigning different weight factors to selected byte values ofthe statistical distribution of the data contained in the data payload.7. The method of claim 2, wherein higher weight factors are assigned tobyte values corresponding to operational codes of the first computersystem.
 8. The method of claim 2, further comprising: determining that asecond distance between the statistical distribution and anotherconnection distribution falls within a given tolerance; determiningaddress information associated with the another connection recorddistribution; identifying a second computer system based on the addressinformation associated with the another connection record distribution;and designating the second computer system associated with the anotherconnection record as the suspect computer system.
 9. A system fortracing the location of an origin computer system that initiallytransmits a suspect data payload across a computer network to an endtarget computer system, the system comprising: a memory; and a hardwareprocessor that, when executing computer executable instructions storedin the memory, is configured to: retrieve a connection record thatcontains transmission information with a first computer system acrossthe computer network; generate a statistical distribution of datacontained in a data payload corresponding to the connection record;determine a first distance between the statistical distribution of datacontained in the data payload and a model distribution of data containedin normal payloads transmitted across the computer network; identify thedata payload as a suspect data payload based on the first distance; anddesignate the first computer system as a suspect computer system inresponse to identifying the suspect data payload.
 10. The system ofclaim 9, wherein the statistical distribution of data contained in thedata payload corresponding to the connection record is a rank orderedbyte frequency count of the data contained in the data payload.
 11. Thesystem of claim 9, wherein the hardware processor is further configuredto select the model distribution from a plurality of model distributionsbased at least in part on a length of the data contained in the datapayload.
 12. The system of claim 9, wherein the first distance iscalculated based on a Mahalanobis distance between the modeldistribution and the statistical distribution of the data contained inthe data payload.
 13. The system of claim 9, wherein the hardwareprocessor is further configured to assign different weight factors toselected byte values of the statistical distribution of the datacontained in the data payload.
 14. The system of claim 9, wherein higherweight factors are assigned to byte values corresponding to operationalcodes of the first computer system.
 15. The system of claim 9, whereinthe hardware processor is further configured to: determine that a seconddistance between the statistical distribution and another connectiondistribution falls within a given tolerance; determine addressinformation associated with the another connection record distribution;identify a second computer system based on the address informationassociated with the another connection record distribution; anddesignate the second computer system associated with the anotherconnection record as the suspect computer system.
 16. A non-transitorycomputer-readable medium containing computer-executable instructionsthat, when executed by a processor, cause the processor to perform amethod for tracing the location of an origin computer system thatinitially transmits a suspect data payload across a computer network toan end target computer system, the method comprising: retrieving, usinga hardware processor, a connection record that contains transmissioninformation with a first computer system across the computer network;generating, using the hardware processor, a statistical distribution ofdata contained in a data payload corresponding to the connection record;determining, using the hardware processor, a first distance between thestatistical distribution of data contained in the data payload and amodel distribution of data contained in normal payloads transmittedacross the computer network; identifying, using the hardware processor,the data payload as a suspect data payload based on the first distance;and designating, using the hardware processor, the first computer systemas a suspect computer system in response to identifying the suspect datapayload.
 17. The non-transitory computer-readable medium of claim 16,wherein the statistical distribution of data contained in the datapayload corresponding to the connection record is a rank ordered bytefrequency count of the data contained in the data payload.
 18. Thenon-transitory computer-readable medium of claim 16, wherein the methodfurther comprises selecting the model distribution from a plurality ofmodel distributions based at least in part on a length of the datacontained in the data payload.
 19. The non-transitory computer-readablemedium of claim 16, wherein the first distance is calculated based on aMahalanobis distance between the model distribution and the statisticaldistribution of the data contained in the data payload.
 20. Thenon-transitory computer-readable medium of claim 16, wherein the methodfurther comprises assigning different weight factors to selected bytevalues of the statistical distribution of the data contained in the datapayload.
 21. The non-transitory computer-readable medium of claim 16,wherein higher weight factors are assigned to byte values correspondingto operational codes of the first computer system.
 22. Thenon-transitory computer-readable medium of claim 16, wherein the methodfurther comprises: determining that a second distance between thestatistical distribution and another connection distribution fallswithin a given tolerance; determining address information associatedwith the another connection record distribution; identifying a secondcomputer system based on the address information associated with theanother connection record distribution; and designating the secondcomputer system associated with the another connection record as thesuspect computer system.